[ 
https://issues.apache.org/jira/browse/HDFS-6392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yi Liu updated HDFS-6392:
-------------------------

    Attachment: HdfsDataInputStream-HdfsDataOutputStream_crypto.diff

Hi Charles and Andrew. The {{DFSOutputStream}} and {{DFSInputStream}} do not 
have constructors that accept a stream, so it’s not suitable to do what I 
suggested. 
The delegation approach you mentioned is complicated and not extendable, and 
may cause issues in the future.

I have another thought, as follows (please look at the attachment 
_HdfsDataInputStream-HdfsDataOutputStream_crypto.diff_):

*1.* Do not modify the {{HdfsDataInputStream}} constructor which accepts 
{{DFSInputStream}}; I think it is reasonable that only the {{DFSInputStream}} 
type of input stream is accepted. But we need to support crypto, so I propose 
we define:
{code}
public HdfsDataInputStream(DFSInputStream in) throws IOException {
  super(in);
}

public HdfsDataInputStream(CryptoInputStream<DFSInputStream> in) 
    throws IOException {
  super(in);
}
{code}

A crypto input stream which only wraps {{DFSInputStream}} is acceptable; then 
we can get the {{DFSInputStream}} easily:
{code}
private DFSInputStream getDFSInputStream() {
  // Unwrap the crypto layer when present; otherwise "in" is the DFS stream.
  if (in instanceof CryptoInputStream) {
    return ((CryptoInputStream<DFSInputStream>) in).getWrappedStream();
  }
  return (DFSInputStream) in;
}
{code}

*2.* Same handling for {{HdfsDataOutputStream}}, and especially for {{public 
void hsync(EnumSet<SyncFlag> syncFlags) throws IOException}}:
{code}
public void hsync(EnumSet<SyncFlag> syncFlags) throws IOException {
  OutputStream wrappedStream = getWrappedStream();
  if (wrappedStream instanceof CryptoOutputStream) {
    // Flush the crypto stream first so its data reaches the wrapped
    // DFSOutputStream before that stream is synced.
    ((CryptoOutputStream<DFSOutputStream>) wrappedStream).flush();
    wrappedStream = ((CryptoOutputStream<DFSOutputStream>) wrappedStream).
        getWrappedStream();
  }
  ((DFSOutputStream) wrappedStream).hsync(syncFlags);
}
{code}

Please get more info from the attachment.

If you and [~andrew.wang] agree with this approach, please include the 
modifications of {{HdfsDataInputStream}} and {{HdfsDataOutputStream}} in your 
patch; and for the modification of {{CryptoOutputStream}} and 
{{CryptoInputStream}}, I will create a new JIRA in the Hadoop common project to 
handle it.


>  Wire crypto streams for encrypted files in DFSClient
> -----------------------------------------------------
>
>                 Key: HDFS-6392
>                 URL: https://issues.apache.org/jira/browse/HDFS-6392
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode, security
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>         Attachments: HDFS-6392.1.patch, HDFS-6392.2.patch, HDFS-6392.3.patch, 
> HdfsDataInputStream-HdfsDataOutputStream_crypto.diff
>
>
> When the DFS client gets a key material and IV for a file being 
> opened/created, it should wrap the stream with a crypto stream initialized 
> with the key material and IV.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
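
Added example, not part of the original message, the attachment, or Hadoop's code: a stand-alone illustration of why the {{hsync}} in point 2 flushes the crypto wrapper before syncing the wrapped stream. {{Sink}} and {{BufferingCrypto}} are hypothetical stand-ins for {{DFSOutputStream}} and {{CryptoOutputStream}}, and the all-zero key and IV are constructed sample values.

```java
import java.io.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

public class HsyncOrderDemo {
  // Hypothetical stand-in for DFSOutputStream: hsync() marks every byte
  // received so far as durable.
  static class Sink extends ByteArrayOutputStream {
    int durable = 0;
    void hsync() { durable = size(); }
  }

  // Hypothetical stand-in for CryptoOutputStream: buffers plaintext and only
  // encrypts and forwards it to the wrapped stream on flush().
  static class BufferingCrypto extends FilterOutputStream {
    private final ByteArrayOutputStream pending = new ByteArrayOutputStream();
    private final Cipher cipher;

    BufferingCrypto(Sink out, byte[] key, byte[] iv) throws Exception {
      super(out);
      cipher = Cipher.getInstance("AES/CTR/NoPadding");
      cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
          new IvParameterSpec(iv));
    }
    @Override public void write(int b) { pending.write(b); }
    @Override public void flush() throws IOException {
      byte[] ct = cipher.update(pending.toByteArray()); // null if nothing pending
      pending.reset();
      if (ct != null) out.write(ct);
      out.flush();
    }
    Sink getWrappedStream() { return (Sink) out; }
  }

  // Writes one record, optionally flushes the wrapper, syncs the wrapped
  // stream, and returns how many ciphertext bytes that sync made durable.
  static int durableAfterHsync(boolean flushFirst) throws Exception {
    Sink sink = new Sink();
    // Constructed all-zero key and IV, for demonstration only.
    BufferingCrypto crypto = new BufferingCrypto(sink, new byte[16], new byte[16]);
    crypto.write("constructed sample record".getBytes("UTF-8"));
    if (flushFirst) crypto.flush();
    crypto.getWrappedStream().hsync();
    return sink.durable;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("hsync only:       " + durableAfterHsync(false) + " bytes durable");
    System.out.println("flush then hsync: " + durableAfterHsync(true) + " bytes durable");
  }
}
```

Syncing the wrapped stream without the flush leaves the record in the wrapper's buffer, so a caller that treats {{hsync}} as a durability point would lose it on a crash.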
